[clamav-users] CVE_2021_4034-9951522 false positives on node executables

Maarten Broekman maarten.broekman at gmail.com
Tue Aug 2 21:18:42 UTC 2022


That's the only thing I can think of. I had node 18.6.0 and I'm running
ClamAV 0.105.0. That detected the node binary as having the same virus.
However, when I upload and scan the binary with VirusTotal, their install
of ClamAV does not detect it.

Similarly, after I upgraded to node 18.7.0, my local install of ClamAV
still detected it with the same virus. And, again, when I uploaded it to
VirusTotal, it came back as clean.

Running clamscan with --leave-temps and setting a --tempdir, I get no
temporary files left behind.

Additionally, using the 'strings' command to get any/all ASCII strings from
the binary (yes, I know it doesn't always help) doesn't show anything...

That being said, the signature does seem to be poorly written and likely to
catch lots of false positives...

It's looking for more than one occurrence of "/usr/bin/pkexec" *and*
CMDTOEXECUTE= *and* NOTTY= *and* NOTTY_PORT= *and* GCONV_PATH= ...
   OR more than 3 occurrences of the "Unable to" messages (any of them) ...
   OR more than 1 occurrence of the woody paths or 'payload.so'

VIRUS NAME: Osx.Exploit.CVE_2021_4034-9951522-1
TDB: Engine:91-255,Target:9
LOGICAL EXPRESSION: (0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/usr/bin/pkexec
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
CMDTOEXECUTE=
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
NOTTY=
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
NOTTY_PORT=
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
GCONV_PATH=
 * SUBSIG ID 5
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to execute pkexec
 * SUBSIG ID 6
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to write  payload
 * SUBSIG ID 7
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to make tmp dir
 * SUBSIG ID 8
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to write gconv module
 * SUBSIG ID 9
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go
 * SUBSIG ID 10
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go
 * SUBSIG ID 11
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
payload.so

And it's that last one that is triggering the virus detection...
lothlorien:~$ grep -a payload.so node
    ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
  if (payload.sourcesContent?.[sourceContentIndex]) {
    source = payload.sourcesContent[sourceContentIndex];

There are no occurrences of sub-signatures 0 through 10... but there are 3
occurrences of sub-signature 11 and the way that the logical expression is
written, that's enough to trigger the detection.

--Maarten
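To reproduce the reasoning above without a ClamAV build handy, here is an added example (not code from the post, and not ClamAV's own matcher): a small Python evaluator that counts each decoded sub-signature in a byte blob and applies the logical expression. The evaluation rules it uses are the reading given in the post (an '&' group needs every member present and counts as the rarest member, a '|' group pools its members' occurrences, `>N` compares that count, top-level `|` / `&` are boolean); treat that as an approximation of clamscan's engine, not its documented semantics. The two input blobs are constructed: one repeats the three `payload.sources...` lines that grep printed, the other imitates a PoC build carrying the pkexec strings. `ldb_line()` also rebuilds the signature in `.ldb` form so it can be dropped into a test database.

```python
"""Re-evaluate a ClamAV logical signature (.ldb style) against raw bytes.

Added example, not ClamAV's own code.  The evaluator follows the reading of
the logical expression given in the post: an '&' group counts as the
smallest member count and needs every member present; a '|' group counts
its members' occurrences summed; '>N' / '<N' / '=N' compare that count;
top-level '|' and '&' are boolean.  This is an approximation of clamscan's
matcher, enough to show why "payload.sources" trips sub-signature 11.
"""
import binascii
import re
from dataclasses import dataclass, field

SIG_NAME = "Osx.Exploit.CVE_2021_4034-9951522-1"
TDB = "Engine:91-255,Target:9"
LOGICAL_EXPRESSION = "(0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1"
# Decoded sub-signatures copied from the sigtool dump in the post, same order.
SUBSIGS = [
    b"/usr/bin/pkexec",                 # 0
    b"CMDTOEXECUTE=",                   # 1
    b"NOTTY=",                          # 2
    b"NOTTY_PORT=",                     # 3
    b"GCONV_PATH=",                     # 4
    b"Unable to execute pkexec",        # 5
    b"Unable to write  payload",        # 6  (two spaces, as in the dump)
    b"Unable to make tmp dir",          # 7
    b"Unable to write gconv module",    # 8
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go",          # 9
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go",  # 10
    b"payload.so",                      # 11
]

# Constructed stand-in for the node binary: a few junk bytes plus the three
# lines that `grep -a payload.so node` printed in the post.
NODE_SAMPLE = b"\x00\x01junk\xff" + (
    b"    ArrayPrototypeIndexOf(payload.sources, originalSourcePath);\n"
    b"  if (payload.sourcesContent?.[sourceContentIndex]) {\n"
    b"    source = payload.sourcesContent[sourceContentIndex];\n"
)
# Constructed stand-in for a PoC build: every string of the '&' group, twice.
POC_SAMPLE = b"".join(s + b"\x00" for s in SUBSIGS[:5]) * 2


def ldb_line(name=SIG_NAME, tdb=TDB, expr=LOGICAL_EXPRESSION, subsigs=SUBSIGS):
    """Render the signature in .ldb form (hex-encoded sub-signatures)."""
    return ";".join([name, tdb, expr] + [binascii.hexlify(s).decode() for s in subsigs])


def split_top_level(expr, sep):
    """Split on `sep` only outside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


_COND = re.compile(r"^\(?(\d+(?:[&|]\d+)*)\)?(?:([<>=])(\d+))?$")


def eval_condition(cond, counts):
    """One count condition such as '(9|10|11)>1' or '3' -> (bool, group_count)."""
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    ids, op, n = m.groups()
    if "&" in ids:   # all members must be present; count = the rarest member
        members = [counts[int(i)] for i in ids.split("&")]
        group = min(members) if all(members) else 0
    else:            # any member; occurrences are pooled
        group = sum(counts[int(i)] for i in ids.split("|"))
    if op is None:
        return group > 0, group
    n = int(n)
    return {">": group > n, "<": group < n, "=": group == n}[op], group


@dataclass
class ScanResult:
    matched: bool
    counts: list
    fired: list = field(default_factory=list)   # top-level clauses that were true


def scan(data, expr=LOGICAL_EXPRESSION, subsigs=SUBSIGS):
    """Count every sub-signature in `data` and evaluate the logical expression."""
    counts = [data.count(s) for s in subsigs]     # non-overlapping substring hits
    result = ScanResult(False, counts)
    for clause in split_top_level(expr, "|"):     # top-level OR
        conds = split_top_level(clause, "&")      # top-level AND
        if all(ok for ok, _ in (eval_condition(c, counts) for c in conds)):
            result.matched = True
            result.fired.extend(conds)
    return result


if __name__ == "__main__":
    for label, blob in (("node-like", NODE_SAMPLE), ("poc-like", POC_SAMPLE)):
        r = scan(blob)
        print(f"{label}: matched={r.matched} counts={r.counts} fired={r.fired}")
    print(ldb_line())
```

On the node-like blob only `(9|10|11)>1` fires, with sub-signature 11 counted three times and everything else at zero, which is the false positive the post describes; the PoC-like blob fires the `(0&1&2&3&4)>1` clause instead. To check against the real engine rather than this approximation, write `ldb_line()` to a file ending in `.ldb` and run `clamscan -d that.ldb node`; `sigtool --decode-sigs` produces the decoded dump shown in the post from a signature line on stdin.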



On Tue, Aug 2, 2022 at 4:12 PM Viktor Rosenfeld via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hi,
>
> Is it possible that the infected file is only found in arm64 versions?
> When I go to https://nodejs.org/en/, it prompts me to download files for
> x64. However, I am on an Apple Air M1 and I just verified that the
> installed node binary is an arm64 executable.
>
> Cheers,
> Viktor
>
> On 01.08.2022 at 15:24, Al Varnell <alvarnell at mac.com> wrote:
>
> I downloaded and installed both current versions of Node.js 16.16.0 LTS &
> 18.7.0 from <https://nodejs.org/en/> and no infected files were found.
>
> -Al-
> --
> ClamXAV user
>
> On Mon, Aug 01, 2022 at 02:50 AM, Viktor Rosenfeld via clamav-users wrote:
>
> Hi,
>
> about a month ago I reported a possible false positive on nodejs
> executables and related files [1]. After checking with Jotti’s Virus Scan
> and Virustotal, I also (twice) submitted the files to the ClamAV website as
> false positives [2].
>
> I haven’t received a notification after the false positive submissions
> and, meanwhile, newer versions of nodejs are still reported as being
> infected.
>
> What else can I do to verify that this is indeed a false positive?
>
> Best,
> Viktor
>
> [1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
> [2] https://www.clamav.net/reports/fp
>
>

